System and method for processing and protecting content

ABSTRACT

Systems and methods that process and protect content are provided. In one example, a system may include, for example, a first device coupled to a second device. The first device may include, for example, an integrated circuit that may include a content processing system and a security system. The security system may include, for example, a digital rights manager. The first device and the second device may be part of a network. The network receives content and control information via the first device. The content processing system processes incoming content based upon at least the control information. The integrated circuit protects the content before placing the content on the network.

RELATED APPLICATIONS

[0001] This application makes reference to, claims priority to and claims benefit from U.S. patent application Ser. No. 60/125,174, entitled “Home Phoneline Network Architecture” and filed on Mar. 19, 1999; U.S. patent application Ser. No. 09/525,872, entitled “Home Phoneline Network Architecture” and filed on Mar. 15, 2000; U.S. patent application Ser. No. 60/216,588, entitled “Concealment of Device Input Parameters” and filed on Jul. 7, 2000; U.S. patent application Ser. No. 09/900,224, entitled “Concealment of Device Input Parameters” and filed on Jul. 6, 2001; U.S. patent application Ser. No. 60/263,793, entitled “Processing Multiple Security Policies Applied to a Data Packet” and filed on Jan. 24, 2001; U.S. patent application Ser. No. 10/053,904, entitled “Processing Multiple Security Policies Applied to a Data Packet” and filed on Jan. 24, 2002; U.S. patent application Ser. No. 10/141,197, entitled “System and Method for Configuring Device Features via Programmable Memory” and filed on May 8, 2002; U.S. patent application Ser. No. 10/141,599, entitled “System and Method for Programming Non-Volatile Memory” and filed on May 8, 2002; U.S. patent application Ser. No. 10/141,549, entitled “System and Method for Securely Controlling Access to Device Functions” and filed on May 8, 2002; U.S. patent application Ser. No. 10/153,338, entitled “System and Method for Protecting Transport Stream Content” and filed on May 22, 2002; U.S. Provisional Patent Application Serial No. 60/413,871, entitled “System and Method for Securely Buffering Content” and filed on Sep. 25, 2002; U.S. Provisional Patent Application Serial No. 60/414,080, entitled “System and Method for Securely Handling Control Information” and filed on Sep. 27, 2002; and U.S. Provisional Patent Application Serial No. 60/410,771, entitled “Method and System for Integrating Digital Copy Protection and Secure Media Management in Set-Top-Boxes (STB)” and filed on Sep. 13, 2002; U.S. patent application Ser. No. 10/310,075, entitled “System and Method for Securely Buffering Content” and filed on Dec. 4, 2002; U.S. patent application Ser. No. 10/310,083, entitled “System and Method for Securely Handling Control Information” and filed on Dec. 4, 2002; and U.S. patent application Ser. No. 60/419,711, entitled “System and Method for Processing and Protecting Content” and filed on Oct. 17, 2002.

INCORPORATION BY REFERENCE

[0002] The above-referenced United States patent applications are hereby incorporated herein by reference in their entirety.

BACKGROUND OF THE INVENTION

[0003] Content and rights protection present major obstacles to accessing quality content on content delivery systems. Currently there are no standards for digital rights management (DRM). Instead, there are a variety of proprietary DRM methods and schemes. Therefore, interoperability between different DRM methods does not exist and limits the range of distribution possibilities. Similarly, conflicting conditional access systems used by video delivery systems have limited product competition and content distribution.

[0004] Furthermore, conventional DRM products do not provide adequate solutions for use in home networks. They consider only the delivery of content to the user and do not take into account distribution of the content within the home.

[0005] Further limitations and disadvantages of conventional and traditional approaches will become apparent to one of ordinary skill in the art through comparison of such systems with some aspects of the present invention as set forth in the remainder of the present application with reference to the drawings.

BRIEF SUMMARY OF THE INVENTION

[0006] Aspects of the present invention may be found in, for example, systems and methods that process and protect content. In one embodiment, the present invention may provide a system that processes and protects content. The system may include, for example, a first device coupled to a second device. The first device may include, for example, an integrated circuit that may include a content processing system and a security system. The security system may include, for example, a digital rights manager. The first device and the second device may be part of a network. The network receives content and control information via the first device. The content processing system processes incoming content based upon at least the control information. The integrated circuit protects the content before placing the content on the network.

[0007] In another embodiment, the present invention may provide a system that processes and protects content. The system may include, for example, a plurality of devices coupled to a server via a network. The server may include, for example, an application specific integrated circuit (ASIC). The ASIC may include, for example, hardware modules capable of performing the following: processing content and control information, distributing content on the network, and protecting content distributed on the network.

[0008] In yet another embodiment, the present invention may provide a method that process and protects content. The method may include one or more of the following: receiving protected content and control information in an integrated circuit; processing, via the integrated circuit, the content based at least upon the control information; protecting the content, via the integrated circuit, before leaving the integrated circuit; and distributing the protected content on a network from the integrated circuit.

[0009] These and other features and advantages of the present invention may be appreciated from a review of the following detailed description of the present invention, along with the accompanying figures in which like reference numerals refer to like parts throughout.

BRIEF DESCRIPTION OF THE DRAWINGS

[0010]FIG. 1A shows a block flow diagram illustrating an embodiment of a system that provides content processing and protection according to the present invention.

[0011]FIG. 1B shows a block flow diagram illustrating an embodiment of a system that provides content processing and protection according to the present invention.

[0012]FIG. 2 shows a block flow diagram illustrating an embodiment of a system that provides content distribution and protection using a home gateway digital rights manager according to the present invention.

[0013]FIG. 3 shows a block diagram illustrating an embodiment of a home network according to the present invention.

[0014]FIG. 4 shows a block diagram illustrating an embodiment of a digital rights management (DRM) architecture according to the present invention.

[0015]FIG. 5 shows a block diagram illustrating an embodiment of a DRM architecture with embedded content security according to the present invention.

DETAILED DESCRIPTION OF THE INVENTION

[0016]FIG. 1A shows a block flow diagram illustrating an embodiment of a system that provides content processing and protection according to the present invention. The system may include, for example, a set top box system 10, home devices 30, a content provider 40, a content protector 50, a clearinghouse 60, a streaming server 70, a web server 80 and a video server 90. The set top box system 10 may include, for example, an integrated circuit 20 that may be adapted to provide content processing and content protection. In one embodiment, the integrated circuit 20 may include an application specific integrated circuit (ASIC). In another embodiment, some components of the system in addition to the set top box system 10 may include respective integrated circuits 20. For example, in FIG. 1B, one or more of the home devices 30, the clearinghouse 60, the streaming server 70, the web server 80 or the video server 90 may each include a respective integrated circuit 20. Although illustrated as a set top box system, the present invention may contemplate other systems and devices that process or protect content such as, for example, computers, media servers, etc.

[0017] As illustrated, the content provider 40 is coupled to the content protector 50. The content protector 50 is coupled to the streaming server 70, the web server 80 and the video server 90. The streaming server 70, the web server 80 and the video server 90 are coupled to the set top box system 10. The content protector 50 is also coupled to the clearinghouse 60 which, in turn, is coupled to the set top box system 10. The clearinghouse 60, the streaming server 70, the web server 80 and the video server 90 may be coupled to the set top box system 10 via, for example, a broadband service system (indicated generally in the FIGS. 1A-B as a dashed line). The set top box system 10 is coupled to the home devices 30. The set top box system 10 may be coupled to the home devices 30 via, for example, wired communications means (e.g., wires, cables, etc.) or wireless communications means (e.g., radio signals, infrared signals, optical signals, etc.) The set top box 10 may also employ any number of communication protocols or standards such as, for example, local area network (LAN), wide area network (WAN), Ethernet, Home Phoneline Network Alliance (HPNA), Bluetooth, digital visual interface (DVI), IEEE 802, IEEE 802.11a, IEEE 802.11b, IEEE 1394, etc.

[0018] In operation, content is provided by the content provider 40. The content may include, for example, data, audio, video, instructions, usage requirements, etc. The content protector 50 protects the content by using, for example, an encryption scheme, a scrambling scheme, etc. The usage terms are sent by the content protector 50 to the clearinghouse 60. The protector 50 also sends the content to the streaming server 70, the web server 80 and the video server 90. When a subscriber requests to display a particular content such as, for example, a particular program (e.g., cable programming, satellite programming, pay-per-view programming, video-on-demand programming, internet access, a multimedia presentation, etc.) on a particular channel on a particular home device 30 (e.g., a home display), then the integrated circuit 20 of the set top box 10 requests access to the program from the clearinghouse 60. The clearinghouse 60 may be, for example, an e-commerce services clearinghouse license server. The clearinghouse 60 then checks the access request against stored usage terms associated with the program. The clearinghouse 60 then sends an access license (e.g., entitlements) to the integrated circuit 20. The integrated circuit 20 then requests content from the streaming server 70, the web server 80 and/or the video server 90 for distribution in, for example, a home network.

[0019] The integrated circuit 20 may perform one or more of the following functions. The integrated circuit 20 may, for example, process the content for display on one or more of the home devices 30. For example, the integrated circuit 20 may include a movie pictures experts group (MPEG) decoding engine including, for example, a digital demodulator, an analog demodulator, an MPEG transport engine, a video decompression engine, an audio decompression engine, etc. The integrated circuit 20 may also prepare the content for distribution on the home network.

[0020] The integrated circuit 20 may protect content leaving the integrated circuit 20 or the set top box system 10 and may recover protected content entering the integrated circuit 20 or the set top box system 10. For example, content may be received by the integrated circuit 20 from the servers 70, 80, 90 in a protected format. The integrated circuit 20 may then recover content from the received protected content. Furthermore, to protect the content from end to end, the content may be protected before leaving the integrated circuit 20 for one or more of the home devices 30. In another example, the set top box system 10 may be part of a personal video recording (PVR) system. Accordingly, a storage device may be coupled to the integrated circuit 20. The storage device may be, for example, an electrical storage device, a magnetic storage device, an electromagnetic storage device, an optical storage device, a mechanical storage device, a storage network or some combination thereof. However, to securely buffer the content in the storage device, content sent from the integrated circuit 20 to the storage device is protected before the content leaves the integrated circuit 20. Examples of such systems may be found, for example, in U.S. Provisional Patent Application Ser. No. 60/413,871 entitled “System and Method for Securely Buffering Content” and U.S. Patent Application Ser. No. 10/310,075, entitled “System and Method for Securely Buffering Content,” which were incorporated by reference in their entirety.

[0021] The integrated circuit 20 may use the access license from the clearinghouse 60 to determine to which, if any, of the home devices 30 the content may be distributed. Furthermore, the integrated circuit 20 may process control information (e.g., digital rights management (DRM) controls, copy control information (CCI), etc.) in a secure manner. The control information may be used to affect the content processing as well as the control information itself. For example, the control information may be embedded in the transport stream received from the servers 70, 80, 90 indicating, for example, that the content may be copied only once. After the content is copied once, the control information may be changed by the integrated circuit 20, which due to its high level of security is a trusted party, to reflect that the content has been copied once (e.g., change control information to indicate that no more copying of the content is allowed). The integrated circuit 20 may be adapted, for example, to validate control information, to process control information, to affect content processing and to display in light of the validated and processed control information and to modify the control information. Example of such a system may be found, for example, in U.S. Provisional Patent Application Ser. No. 60/414,080 entitled “System and Method for Securely Handling Control Information” and U.S. patent application Ser. No. 10/310,083 entitled “System and Method for Securely Handling Control Information”, which were incorporated by reference in their entirety.

[0022] The integrated circuit 20 may be adapted to securely control set top box system functions and features. For example, the integrated circuit 20 may include a memory array such as, for example, a non-volatile memory (e.g., a one-time programmable non-volatile memory). The non-volatile memory may include, for example, a data array and banks of mode control bits that may be initially programmed so that the subscriber can access particular features and functions provided by the integrated circuit 20. For example, the mode control bits may be one-time programmed by the subscriber or by the manufacturer to enable particular features or functions. In addition, the mode control bits can be locked using locking bits or other locking mechanisms. The data array may include, for example, security information such as a device identification number and keys that may be locked physically by the one-time programmable memory as well as logically by a cyclical redundancy check (CRC) stored in the non-volatile memory. In addition, the memory array may be further programmed to enable particular features and functions if the subscriber can provide authorization via, for example, a challenge/response mechanism, a password authentication or other authorizing schemes. The integrated circuit 20 may also detect if it has been tampered with and invalidate the memory array, thereby making the integrated circuit 20 useless or thereby allowing the integrated circuit 20 to provide only the most basic services. Examples of such systems may be found, for example, in U.S. patent application Ser. No. 10/141,197 entitled “System and Method for Configuring Device Features via Programmable Memory;” U.S. patent application Ser. No. 10/141,599 entitled “System and Method for Programming Non-Volatile Memory;” and U.S. patent application Ser. No. 10/141,549 entitled “System and Method for Securely Controlling Access to Device Functions,” which were incorporated by reference in their entirety.

[0023] The integrated circuit 20 may also determine access via a conditional access card coupled to an interface coupled to the integrated circuit 20 and protect content between the integrated circuit 20 and the conditional access card. The conditional access card may be, for example, a personal computer memory card international association (PCMCIA) card, a smart card, an interface car, etc. The conditional access card may be a printed circuit board that is plugged into, mounted on, or integrated with a motherboard on which is located the integrated circuit 20. The conditional access card may be, for example, a common interface card or a point of deployment (POD) module. Examples of such systems may be found, for example, in U.S. patent application Ser. No. 10/153,338 entitled “System and Method for Protecting Transport Stream Content,” which was incorporated by reference in its entirety.

[0024] The integrated circuit 20 may also provide a home gateway digital rights manager. The home gateway digital rights manager may be adapted to, for example, encrypt content, authenticate end points, secure rights management and revoke rights. In support of DRM, the integrated chip 20 may be adapted to provide one or more of the following, including: security protection on digital interfaces; secure rights handling; and secure processing, input/output (I/O) and crypto-engine function. The latter option may provide restricted access to the memory and I/O; operational integrity; and a secure crypto-toolkit.

[0025] The home gateway digital rights manager may include, for example, a hardware crypto-toolkit that may be used for DRM, conditional access and e-commerce. The toolkit may provide a set of cryptographic and security capabilities that can be used by the DRM provider in support of its communication protocols. Hardware tools offer higher performance levels (e.g., processing speeds) and provide security over software architectures. Hardware tools also offer hardware protection for key transfers and key storage while, for example, being staged for insertion encrypt/decrypt blocks or authentication algorithms.

[0026] In one embodiment, the DRM architecture offers a comprehensive security capability including one or more of the following: access control; content protection; rights management; privacy; full-home network coverage; flexibility with respect to content delivery and distribution; support for various transport formats (e.g., download, streaming, etc.); PVR store-and-forward; and home networking.

[0027] Some aspects of the present invention may provide some or all of the security functionality in the hardware of an integrated circuit. The hardware of the integrated circuit may also be adapted to provide content processing. In one embodiment, all of the security functionality may be embedded in the same integrated circuit (e.g., a single integrated chip) that also provides content processing.

[0028]FIG. 2 shows a block flow diagram illustrating an embodiment of a system that provides content distribution and protection using a home gateway digital rights manager according to the present invention. The home gateway digital rights manager provides DRM support into the home and also provides an end-to-end protection solution.

[0029]FIG. 3 shows a block diagram illustrating an embodiment of a home network according to the present invention. The home network (e.g., an HPNA home network) 130 may include, for example, a home gateway digital rights manager 100 and clients 110 (e.g., HPNA clients). The home gateway digital rights manager 100 may also be coupled to a WAN 120.

[0030] In one embodiment, the home gateway digital rights manager 100 may decrypt content received on the WAN 120 according to a conditional access system or a DRM system and then re-encrypt the content to be distributed on the home network using a home network encryption. For example, the data encryption standard (DES), triple DES (3DES) or 3DES PVR encryption may be used to protect content on the home network 130. In addition, all nodes may be authenticated to the home gateway digital rights manager 100.

[0031]FIG. 4 shows a block diagram illustrating an embodiment of a DRM architecture according to the present invention. The DRM architecture includes, for example, a managing block 140 that supports a baseline DRM product (e.g., a standards-based DRM product), managing blocks 150 that support proprietary DRM products, an application program interface (API) and a block 160 that supports crypto tools and DRM service controls. Accordingly, the DRM architecture can support either a baseline DRM product or a proprietary DRM product. The DRM architecture may also be able to convert the proprietary DRM control information into, for example, baseline DRM control information or other proprietary DRM control information so as to overcome interoperability problems between DRM methods. Furthermore, the DRM architecture also may support, complement and supplement a particular manufacturer's proprietary security hardware and software capabilities by providing access to the crypto tools available from the integrated circuit 20. For example, the crypto tools may extend the management of content while, for example, being recorded or shared with other devices.

[0032] Crypto tools may include, for example, one or more of the following cryptographic hardware modules in support of content protection and security. For example, a DVB common descrambler and DES/3DES devices may be used in MPEG transport decryption for conditional access. DES/3DES devices may be used in personal video recording. DVI/HDCP and PVR DES/3DES may be used in home networking. Furthermore, crypto tool may include a general set of cryptographic tools (e.g., for internet protocol and above), including: DES, 3DES, RC4, advanced encryption standard (AES); secure hash algorithm-1 (SHA1), message digest 5 (MD5), HMAC-SHA1, HMAC-MD5, public key acceleration (RSA/DSS/DH), etc.

[0033] In one embodiment, the present invention may provide a highly integrated system-on-a-chip ASIC architecture capable of merging content protection and security functions with audio and video decoding and processing functions. With a baseline DRM or common DRM standard, compliant functions can be built-in to single-chip devices and can eliminate the need and costs associated with special purpose hardware security modules. With content protection and security capabilities integrated with the processing and interface functions of a single-chip device, the single-chip device may provide full-hardware tamper resistance or supplement software tamper-resistance schemes.

[0034]FIG. 5 shows a block diagram illustrating an embodiment of a DRM architecture with embedded content security according to the present invention. The home network may include, for example, home devices. One or more of the home devices may include, for example, an embedded content security element. One or more of the home devices may be adapted for receiving conditional access cards. In one example, the home device may be adapted to receive a conditional access card for use in e-commerce or a conditional access card for use in renewing or upgrading features or functions of the home device. One or more of the home devices may be coupled to a remote system that, for example, may provide content and control. The remote server may include, for example, a network element (e.g., a server) a content security element and a rights management system.

[0035] In operation, a home device requests particular programming from the remote system. The home device may also send content control messages. The content control messages may reflect information received by the home device from any conditional access cards as well as other information stored in the home device. For example, the content control message may include a digital certificate from a trusted authority (e.g., a certification authority) that may assist the remote system in verifying the identity of the home device or the home network. The content control message may be parsed by the content security element which may request and obtain particular rights for the rights management system. The particular rights granted to the home device may be based upon, for example, the content control messages and the particular program request received by the remote system. Based upon the granted rights, the remote system may send the particular program as protect content with accompanying control information. The home device may then process the protected content received from the remote system based upon, for example, the control information and the available or enabled home device features or functions. The home device may then send to requested content to one or more of the other home devices on the home network. The content may be protected with, for example, a particular home network encryption. The distribution of the content within the home network may be limited, for example, by the control information.

[0036] By combining one or more of the above-identified functions on a single integrated chip (e.g., an ASIC), the system-on-a-chip device may offer one or more of the following advantages. For example, integration may result in lower overall product costs. Integration onto a single device may include the integration of DRM functions, thereby sustaining a higher level of tamper resistance. Furthermore, the security of the set top box system 10 may be enhanced over software-only environments or segregated security modules.

[0037] By using hardware protection, access to content and content protection parameters can be restricted. Hardware protection is more robust than software-only tamper resistance schemes. Furthermore, if the hardware is attacked, the attacks are not easily scaled to larger populations. In contrast, hacked software is relatively easy to distribute to a large population of unauthorized users. With hardware protections, the endpoints can gain a higher level of trust. The distribution of high-value content may directly result from the deployment of highly trusted, interoperable equipment and systems for the distribution of content.

[0038] While the present invention has been described with reference to certain embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the scope of the present invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the present invention without departing from its scope. Therefore, it is intended that the present invention not be limited to the particular embodiment disclosed, but that the present invention will include all embodiments falling within the scope of the appended claims. 

What is claimed is:
 1. A system for processing and protecting content, comprising: a first device comprising an integrated circuit that comprises a content processing system and a security system, the security system comprising a digital rights manager; and a second device coupled to the first device, the first device and the second device being part of a network, wherein the network receives content and control information via the first device, wherein the content processing system processes incoming content based upon at least the control information, and wherein the integrated circuit protects the content before placing the content on the network.
 2. The system according to claim 1, wherein the security system comprises a non-volatile memory, the non-volatile memory comprising a set of mode control bits, each mode control bit being one-time programmable, and wherein device features of the first device are securely programmed via the set of mode control bits.
 3. The system according to claim 2, wherein the non-volatile memory comprises a one-time programmable memory that stores at least one of a cryptographic key and a device identification number of the first device.
 4. The system according to claim 1, wherein the first device is coupled to a storage device.
 5. The system according to claim 4, wherein the first device buffers or stores content in the storage device, wherein the content buffered or stored in the storage device is protected before leaving the integrated circuit, and wherein the protected content buffered or stored in the storage device is recovered after entering the integrated circuit.
 6. The system according to claim 1, wherein the integrated circuit protects the content placed on the network using a network encryption scheme.
 7. The system according to claim 1, wherein the integrated circuit is coupled to a conditional access card.
 8. The system according to claim 7, wherein information flowing between the conditional access card and the integrated circuit has been at least one of encrypted and copy protected.
 9. The system according to claim 1, wherein the integrated circuit comprises a crypto tool kit.
 10. The system according to claim 9, wherein the crypto tool kit comprises cryptographic hardware modules that support at least one of DVB descrambling, DES, 3DES, DVI/HDCP, PVR DES/3DES, RC4, AES, SHA1, MD5, HMAC-SHA1, HMAC-MD5 and RSA/DSS/DH.
 11. The system according to claim 1, wherein the digital rights manager supports a first type of digital rights management and a second type of digital rights management.
 12. The system according to claim 11, wherein the digital rights manager supports interoperability between the first type of digital rights management and the second type of digital rights management.
 13. The system according to claim 1, wherein the first device comprises at least one of a set top box, a media server, a home media server and a computer.
 14. The system according to claim 1, wherein the network comprises a home network.
 15. The system according to claim 1, wherein the integrated circuit comprises an application specific integrated circuit (ASIC).
 16. A system for processing and protecting content, comprising: a plurality of devices; and a server coupled to the plurality of device via a network, the server comprising an ASIC, the ASIC comprising hardware modules capable of performing the following: processing content and control information, distributing content on the network, and protecting content distributed on the network.
 17. The network according to claim 16, wherein the ASIC comprises a digital rights manager.
 18. The network according to claim 16, wherein the ASIC comprises a crypto tool kit.
 19. The network according to claim 16, wherein the ASIC comprises a non-volatile memory.
 20. The network according to claim 19, wherein the non-volatile memory comprises a one-time programmable non-volatile memory, wherein the one-time programmable non-volatile memory comprises a set of mode bits, and wherein features of the server are enabled or disabled via programming bits in the set of mode bits.
 21. The network according to claim 19, wherein the non-volatile memory comprises a one-time programmable non-volatile memory, wherein the one-time programmable non-volatile memory stores at least one of a cryptographic key value and a device identification number.
 22. A method for processing and protecting content, comprising: receiving protected content and control information in an integrated circuit; processing, via the integrated circuit, the content based at least upon the control information; protecting the content, via the integrated circuit, before the content leaves the integrated circuit; and distributing the protected content on a network from the integrated circuit.
 23. The method according to claim 22, wherein the content is protected using a crypto tool kit. 